How to Audit an ERP System via the Risk Management Route Presented by: Gabriel Lung ISACA London Chapter Events 2003/2004 ABN-AMRO, 250 Bishopsgate, London.


1 How to Audit an ERP System via the Risk Management Route Presented by: Gabriel Lung ISACA London Chapter Events 2003/2004 ABN-AMRO, 250 Bishopsgate, London 27 May 2004

2 Disclaimer This presentation is based solely on my view and not that of my company

3 Introduction
✓ Risk management in BAA: corporate governance; risk management process and methodology
✓ The principle of trust
✓ The ERP rationale and coverage
✓ The ERP audit the RM way
✓ Lessons learnt
✓ Q&A

4 BAA Business Activities
- Airport management
- Airport retail management
- Property development
- Duty free retailing
- Train operations
- Designer outlets

5 Turnbull/Combined Code Requirements
✓ BAA must report annually on its systems of internal: financial control; operational control; compliance control; risk management process
✓ The majority of assurance will come from management

6 Risk Management Process (diagram) – Key Corporate Risks: MB, XC, Corporate Risk Director. How are these key risks managed? Key Operational Risks and Residual Operational Risks: this is how, through Local Risk Management. GIA audits both the key risks and the operational risks.

7 Risk Management Stages
- Business Objective
- Risk: the identification of those things that would PREVENT an objective from being achieved
- Inherent Level: the likelihood and consequence of risk crystallisation before mitigating actions (controls) have been put in place
- Control: those actions that, if taken, will reduce either the likelihood or consequence of a risk crystallising
- Residual Level: the likelihood and consequence of risk crystallisation after mitigating actions (controls) have been put in place
- Insurance: the risk can sometimes be reduced (transferred) by insurance
- Retained Level: the level of risk formally accepted by the organisation
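The stages above describe a scoring chain: inherent level, less the effect of controls, gives the residual level; insurance may transfer part of what remains; what is left is the retained level the organisation must formally accept. The following is an added worked example of that chain as a small risk register, not code from the presentation or from BAA; the 1-5 likelihood and consequence scales, the control effects, the risk appetite threshold and the two sample risks are all assumed for illustration. It also applies the later slide's point that only controls confirmed to be operating reduce residual risk, and flags risks whose retained level exceeds appetite so they cannot be accepted silently.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed scales: likelihood and consequence are each rated 1 (lowest) to 5 (highest);
# a level's score is likelihood x consequence, so 25 is the worst case.
SCALE_MIN, SCALE_MAX = 1, 5

Level = Tuple[int, int]  # (likelihood, consequence)


@dataclass
class Control:
    """A mitigating action; only a control that is actually operating counts."""
    name: str
    likelihood_reduction: int = 0
    consequence_reduction: int = 0
    operating: bool = False  # status of the control (designed vs. confirmed in operation)


@dataclass
class Risk:
    objective: str                 # the business objective the risk threatens
    description: str               # what would PREVENT the objective being achieved
    likelihood: int                # inherent likelihood (before controls)
    consequence: int               # inherent consequence (before controls)
    controls: List[Control] = field(default_factory=list)
    insured_consequence_reduction: int = 0  # portion of consequence transferred by insurance


def _clamp(value: int) -> int:
    return max(SCALE_MIN, min(SCALE_MAX, value))


def score(level: Level) -> int:
    likelihood, consequence = level
    return likelihood * consequence


def inherent_level(risk: Risk) -> Level:
    return risk.likelihood, risk.consequence


def residual_level(risk: Risk) -> Level:
    """Inherent level after the controls that are confirmed operating."""
    likelihood, consequence = risk.likelihood, risk.consequence
    for control in risk.controls:
        if control.operating:
            likelihood -= control.likelihood_reduction
            consequence -= control.consequence_reduction
    return _clamp(likelihood), _clamp(consequence)


def retained_level(risk: Risk) -> Level:
    """Residual level after any transfer by insurance; this is what management must accept."""
    likelihood, consequence = residual_level(risk)
    return likelihood, _clamp(consequence - risk.insured_consequence_reduction)


def register_report(risks: List[Risk], appetite: int) -> List[Dict]:
    """One row per risk with each stage's score and the points an auditor would check:
    controls that are designed but not operating, and retained risk above appetite."""
    rows = []
    for risk in risks:
        retained = retained_level(risk)
        rows.append({
            "objective": risk.objective,
            "risk": risk.description,
            "inherent": score(inherent_level(risk)),
            "residual": score(residual_level(risk)),
            "retained": score(retained),
            "controls_not_operating": [c.name for c in risk.controls if not c.operating],
            "needs_formal_acceptance": score(retained) > appetite,
        })
    return rows


# Constructed sample register (illustrative figures, not BAA's).
SAMPLE_RISKS = [
    Risk(
        objective="Pay staff accurately and on time",
        description="Payroll run produces incorrect payments",
        likelihood=4, consequence=4,
        controls=[
            Control("Segregation of duties in payroll changes", likelihood_reduction=2, operating=True),
            Control("Monthly payroll reconciliation", consequence_reduction=1, operating=False),
        ],
    ),
    Risk(
        objective="Maintain the asset base",
        description="Fixed assets lost or damaged without detection",
        likelihood=3, consequence=5,
        controls=[Control("Asset register reviewed quarterly", likelihood_reduction=1, operating=True)],
        insured_consequence_reduction=3,
    ),
]
RISK_APPETITE = 6  # assumed threshold above which retained risk needs formal sign-off


if __name__ == "__main__":
    for row in register_report(SAMPLE_RISKS, RISK_APPETITE):
        print(row)
```

Running the module prints one line per risk; the payroll risk stays above appetite because its only consequence-reducing control is designed but not yet operating, which is exactly the kind of gap an audit of the register should surface.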

8 The Principle of Trust Do you trust your clients?

9 On What Basis Do We Trust Them? Based on:
✓ The strength of the control environment: organisation; methods & practices; culture & behaviour
✓ Previous audits – these indicate strong internal controls
The caveat is that:
✓ We trust but reserve the right to verify

10 The Rationale of Investing in an ERP (diagram) – IT, HR & Procurement operate as separate silos (Silo One, Silo Two, Silo Three); the ERP brings them together into the Business Support Centre, which cultivates better customer relationships, takes calculated risks and keeps control.

11 Scope of the ERP (What does it cover?)
✓ Resource, Develop & Manage People (RDMP)
✓ Plan & Develop the Business (PDB)
✓ Acquire & Maintain Asset (AMA)
✓ Others (income and financial ledgers)

12 Audit Drivers
✓ Corporate governance (Turnbull & LSE)
✓ Audit & assurance
✓ Management requests

13 Pre-Audit Assessment
✗ No formal business risk register
✗ Lack of practical experience in assessing risks by process management
✓ The ERP system was subject to regular audits before it went live
✓ Process management believed that checks and balances are in place and operating

14 What did we do before the audit?
✓ Gave a full-day risk management training course to key business process managers
✓ Facilitated initial risk assessment workshops
✓ Provided feedback on initial risk registers and ongoing advice on the risk management methodology
✓ Agreed with management that we would be returning to audit the risk registers and processes

15 Phase 1 Audit Focus To review how well management identified risks in the ERP processes that could threaten the achievement of business objectives

16 What did they do? 1/2

17 What did they do? 2/2 (This example is for demonstration only)

18 How Do We Assess Them? Inherent risks → status of controls → residual risks (an example)

19 What We Found?
✓ Management gained confidence in the risk management process: all key risks were identified; risks were aligned with business objectives; controls were reasonably well specified
✗ However, the control monitors and early warning indicators had not been explicitly identified

20 Remedial Actions
✓ A formal project board was established with Main Board representation and a dedicated project manager to oversee the detailed design of ERP controls
✓ More risk assessment workshops were carried out
✓ Further controls were improved

21 Phase 2 Audit Focus To review how well the designed controls and associated embedded monitors address the risks identified in phase 1

22 What We Found This Time
✓ Project Board is working effectively in accordance with the project charter
✓ Risks and controls are well designed
✗ However, more work is still required in the design of suitable embedded monitors and early warning indicators (management has sought assistance from GIA to remedy this situation)

23 What We Did?
✓ A half-day workshop was given to 15 key process managers specifically on the design of embedded monitors and early warning indicators, including: good and bad examples; 4 case studies relevant to our business for syndicate work; group presentation of results to each other
✓ Provided continuous support to all process managers who required assistance on the risk management methodology

24 Embedded Monitors Design Methodology

25 Phase 3 Audit Focus
✓ In phase 1, we examined how well management identified risks in the ERP processes that could threaten the achievement of business objectives
✓ In phase 2, we reviewed how well the designed controls and associated embedded monitors address the risks identified in phase 1
✓ In the final phase, we carried out an audit to review how well the designed controls and associated embedded monitors are working in practice over the ERP processes

26 Phase 3 – What We Found? No major issues were identified in our audits, and:
✓ Management has established formal governance structures for reviewing embedded monitors
✓ A formal Service Level Agreement (SLA) has been established between the Business Support Centre (BSC) and BAA airports
✓ Key stakeholders have held regular meetings to evaluate SLA performance and to prescribe remedial actions for areas requiring improvement

27 What We Have Learned
✓ Auditors increasingly need consultancy skills
✓ Audit and consultancy work well together if the assurance role is segregated
✓ Our method would not have worked in a different organisation culture (we have full support from top management)
✓ Risk management is the catalyst that helps management achieve their objectives
✓ Improving the risk management maturity of an organisation requires a vigorous process

28 Risk Management Maturity Continuum (Among the ERP Process Managers) (chart: Novice – Competent – Proficient – Expert, showing the position before and after)

29 Could We Have Done It Differently?
✓ Yes – except that the audit department would need to be 2-3 times its current size, or we would need to reduce the level of assurance provided to management, risking non-compliance with the corporate governance requirement

30 Questions?
